problem to decrypt AES

Question

Hello, 
&nbsp;  
&nbsp; I have currently some problems with to decrypt AES encrypted string in f5 irules. 
&nbsp;  
&nbsp; In fact It works well when I encrypt and decrypt a string in the same irule, but if I want to decrypt an already encrypted string then the AES::decrypt function return an empty string. Of course the key used to decrypt the encrypted string is the key I used to encrypt this one. 
&nbsp;  
&nbsp; when HTTP_REQUEST { 
&nbsp;      
&nbsp;    /* Below is the part working */ 
&nbsp;     set ::key be474444865c70f3e13624aec61eb292cef6cf5c4ce1725dd4fa49a93bf997c8 
&nbsp;     log local0. "key: $::key" 
&nbsp;  
&nbsp;     set ::toencrypt "test" 
&nbsp;     log local0. " $::toencrypt" 
&nbsp;  
&nbsp;     set ::encrypted [b64encode [AES::encrypt $::key $::toencrypt]] 
&nbsp;     log local0. "encrypted: $::encrypted" 
&nbsp;  
&nbsp;     set ::decrypted [AES::decrypt $::key [b64decode $::encrypted]] 
&nbsp;     log local0. "decrypted: $::decrypted" 
&nbsp;  
&nbsp;  
&nbsp;   /* the following example doesn't work */ 
&nbsp;     set ::alreadyencrypted "if5fcuQNslSrend46PiyfBV/Bu60+lfXLAN76wSFxtmk13EnzNi0Zfu/" 
&nbsp;     log local0. "alreadyencrypted: $::alreadyencrypted" 
&nbsp;     set ::decrypted2 [AES::decrypt $::key [b64decode $::alreadyencrypted]] 
&nbsp;     log local0. "alreadydecrypted: $::decrypted2" 
&nbsp; } 
&nbsp;  
&nbsp; I'm asking if there is not something else to do to declare the encrypted string (bold line). 
&nbsp;  
&nbsp; Do you know what to do to fix this problem? 
&nbsp;  
&nbsp; Many thanks

jcohen · Answer

When specifying a key to AES::encrypt or AES::decrypt it 
can either be a key object as generated by AES::key (a string with the correct format) or a passphrase.  &nbsp;
&nbsp;The AES::key command generates object represented as a list with 3 elements or a string in the format "AES (128 | 192 | 256) &lt;32, 48, 64 HEX digits respectively&gt;".  If you are using a string to set the key, it must be in this format.&nbsp;
&nbsp;A string that does not match the above format will be interpreted as a passphrase and will be used (along with random salt) to generate a key.  This is where AES::decrypt is affected by ID224113.&nbsp;&nbsp;
&nbsp;You need to change
&nbsp;set ::key be474444865c70f3e13624aec61eb292cef6cf5c4ce1725dd4fa49a93bf997c8
&nbsp;to 
&nbsp;set ::key "AES 256 be474444865c70f3e13624aec61eb292cef6cf5c4ce1725dd4fa49a93bf997c8"&nbsp;
&nbsp;Now, using global variables and CMP is a whole other discussion. :)
&nbsp;http://devcentral.f5.com/wiki/default.aspx/iRules/CMPCompatibility.html&nbsp;
&nbsp;Jason&nbsp;

hooleylist · Answer

Now, using global variables and CMP is a whole other discussion. :) 
&nbsp;  
&nbsp; For 10.x you can use the static:: namespace 
&nbsp; http://devcentral.f5.com/wiki/default.aspx/iRules/static 
&nbsp;  
&nbsp; Aaron

Forum Discussion

problem to decrypt AES

2 Replies

Recent Discussions

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Enabling AVR and creating Profiles

Get associated pool name from VIP IP using F5-LTM

Disacard SSL::cert mode to ignore when default SSLClient profile is set to request or require

Related Content

Decrypting TLS with the tcpdump sslprovider

PowerShell to iRule AES-CBC conversation using random IV values

Source_Addr Persistence Problems

encrypted cookie generation and decryption

TLS Fingerprinting - a method for identifying a TLS client without decrypting